[keycloak-user] Keycloak security proxy: Access token in cookie support
Jonathan Lin
jonathan at beliantech.com
Mon Sep 18 06:29:49 EDT 2017
Hi all,
I have two clients, one for the API server (bearer-only), and another for front end (public), both in the same realm.
I have set up the Security Proxy that comes with Keycloak (http://www.keycloak.org/docs/3.3/server_installation/topics/proxy.html) with the following config. I am using Golang, hence am unable to use an official adapter.
{
  "target-url": "http://localhost:9090",
  "send-access-token": false,
  "bind-address": "localhost",
  "http-port": "8080",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "demo-realm",
        "resource": "api-server",
        "auth-server-url": "http://auth.server/auth",
        "ssl-required": "external",
        "enable-cors": true,
        "cors-allowed-methods": "GET,POST",
        "cors-allowed-headers": "Authorization",
        "disable-trust-manager": true,
        "bearer-only": true,
        "token-store": "cookie"
      },
      "constraints": [
        {
          "pattern": "/*",
          "authenticate": true
        },
        {
          "pattern": "/bar",
          "permit": true
        }
      ]
    }
  ]
}
This works fine with the Authorization: Bearer header, where the token was obtained by the front end public client. But I need authentication when using <img> or <object> src URL attributes as well. Hence I need to be able to send the access token via cookie. Putting "token-store": "cookie" doesn’t seem to do anything for me.
Any pointers?
Thanks,
Jonathan